Mozilla to remove DNT - maybe we should too?

[moonbat]

Link.

It always seemed pointless anyway - better to control one's privacy directly with appropriate adblocking and extensions than rely on some company's pinky swear.

[RealityRipple]

We replaced DNT with Sec-GPC like... forever ago.

[jobbautista9]

Tbh I'm surprised it took them this long to replace DNT.

Anyway it's kinda funny (and sad) that Mozilla is getting shit on again by privacy-freaks for removing DNT..

[Pentium4User]

Its simply reality: The tracker companies won't care about that header.

[Moonchild]

Anyway it's kinda funny (and sad) that Mozilla is getting shit on again by privacy-freaks for removing DNT..

If they are just removing it without replacing it with sec-GPC (like we have done) then they deserve at least some of that flak.
On its face though, if they are just screeching about it being removed, then the privacy-freaks are clearly not taking 5 minutes to understand that the DNT header is completely unenforceable and has never been adopted server-side as anything meaningful as a result.

DNT: No legal backing framework, unenforceable because modern web applications require at least some form of what is too broadly described in the DNT spec as "tracking". This targets the collection of data, even necessary internal data.
GPC: Has legal backing, and only aims to restrict the sharing and selling of user data, not the collecting of it for internal purposes, which is enforceable. GPC makes a lot more sense with complex web applications that need session-based interaction with servers and must collect some data to function. Companies cannot sell or share the data they collect this way which is all that matters.

[jobbautista9]

If they are just removing it without replacing it with sec-GPC (like we have done) then they deserve at least some of that flak.

They've already added GPC support before the removal, so it's effectively a replacement like we did, just delayed unlike us in which we did both removal of DNT and addition of GPC in the same version. I don't think Mozilla is that foolish to not give an alternative to DNT..

DNT: No legal backing framework

Apparently Germany legally recognizes it and their court argued that the DNT signal is a "valid objection" to the "processing of personal data" under the GDPR. https://www.vzbv.de/en/court-prohibits- ... ringements

[Moonchild]

Apparently Germany legally recognizes it and their court argued that the DNT signal is a "valid objection" to the "processing of personal data" under the GDPR.

But that's not what the DNT signal means. DNT has nothing to do with the GDPR as it doesn't only involve personal data as defined under the GDPR, but rather any unique identifier or combination thereof and the signal aims to prevent collection of such data (see quote below, take special note of not just the sharing of data but also the retention and use). The German court's interpretation is almost a redefinition of what the signal means because it redefines the scope. As a result, this falls apart immediately when the interaction isn't between a German user and a German host/company that also recognises the limited interpreted scope as defined by the court. GPC is however backed by legal entities and regulations that actually do have some teeth, because it legally restricts (on legal penalty) the sharing or selling of user data. This falls immediately in line with the GDPR, CCPA and similar legislation, and puts the barrier of data not between the user and a company the user interacts with, but rather between that company and the rest of the world (a much more logical place). After all, if you do business with a company, you would assume to have trust in that company to process necessary data -- but not extend that trust to any 3rd party implicitly. I hope that makes sense; not sure how better to explain the situation.

Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

[BenFenner]

Companies cannot sell or share the data they collect this way which is all that matters.

That may be all that matters to you, but in context, some of us (myself included) do not want the company itself to track us, or store data they collect about us this way.

(Don't confuse this statement as a defense of the DNT concept as implemented. It is obviously hugely flawed.)

[jobbautista9]

But that's not what the DNT signal means.

Yeah tbh I don't like the German ruling either. It just made DNT more ambiguous, and this move by Germany should make all of us in the web community prioritize getting rid of it before it gets a comeback and politicians dictate what "tracking" is...

some of us (myself included) do not want the company itself to track us, or store data they collect about us this way.

And that's where technical solutions like content blockers (and depending on your threat model, proxying software like Tor and using private browsing or incognito mode) come in. Political solutions should go to selling and sharing of data where things are much clearer.

[BenFenner]

Yes, point taken (except about private browsing/incognito mode which has absolutely nothing to do with keeping things private from the URLs one visits).

[jobbautista9]

PB will not save cookies and other temporary data on exit which defeats tracking in one front. Though I guess I could've said it more clearly yeah.

[Mæstro]

I support the German redefinition of DNT. I am German, so I stand directly to benefit from it, but foreigners might also benefit in the same way that non-EU residents can still benefit from the GDPR. If a foreign site wishes to process German users’ data, it must do so according to our laws, and this means respecting our definition of DNT. In a democracy, the people have the power to tell firms what to do, and this includes (re)defining technical measures to protect our interests.

[Moonchild]

The whole point is that GPC is already established and enforceable without redefining it.
"too little too late" and all that.

Anyway to get back to the topic; we haven't had DNT since the time I replaced it with GPC in May 2022. Even if you'd like to, being in Germany, you can't send it any longer from within Pale Moon (unless you create an extension that tacks it on as a header to each request). It's literally been replaced with the sec-GPC header. Any strict anti-tracking you may want to enforce based on non-account-linked data will have to be done by using blockers, VPNs, and similar technologies that prevent collection of potentially identifiable markers on websites you publicly visit.

[Mæstro]

I agree with you and am not concerned; I already use such strict measures and expect that GPC should carry the same legal weight as DNT here.